[PATCH] D39125: [inlineasm] Fix crash when number of matched input constraint operands overflows signed char

Daniil Fukalov via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Oct 20 08:29:36 PDT 2017


dfukalov created this revision.
dfukalov added a project: AMDGPU.
Herald added subscribers: eraman, nhaehnle, wdng.

When the number of output constraint operands that have matched input operands
does not fit in a signed char, TargetLowering::ParseConstraints() can try to access
ConstraintOperands (which is a std::vector) with a negative index.


https://reviews.llvm.org/D39125

Files:
  include/llvm/IR/InlineAsm.h
  lib/IR/InlineAsm.cpp
  test/CodeGen/AMDGPU/InlineAsmCrash.ll


Index: test/CodeGen/AMDGPU/InlineAsmCrash.ll
===================================================================
--- /dev/null
+++ test/CodeGen/AMDGPU/InlineAsmCrash.ll
@@ -0,0 +1,8 @@
+; RUN: llc -march=amdgcn < %s
+
+define void @foo(i32* %ptr) {
+  %tmp = tail call { i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32 } asm "nop", "=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,=v,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65"(i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2, i32 2)
+  %tmp2 = extractvalue { i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32, i32 } %tmp, 0
+  store i32 %tmp2, i32* %ptr, align 4
+  ret void
+}
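Review bot: The test carries no comment saying why it needs 66 outputs tied to 66 inputs, so a later cleanup could shrink it until no matching-input index exceeds 127, and the regression would then go untested. Add a header line such as `; Matching-input indices above 127 used to overflow a signed char MatchingInput field (D39125).` The RUN line only checks that llc exits cleanly; writing it as `; RUN: llc -march=amdgcn -o /dev/null < %s` makes that intent explicit and keeps the generated assembly out of the test log.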
Index: lib/IR/InlineAsm.cpp
===================================================================
--- lib/IR/InlineAsm.cpp
+++ lib/IR/InlineAsm.cpp
@@ -163,6 +163,7 @@
           return true;
         // Note that operand #n has a matching input.
         scInfo.MatchingInput = ConstraintsSoFar.size();
+        assert(scInfo.MatchingInput>=0);
       } else {
         if (ConstraintsSoFar[N].hasMatchingInput() &&
             (size_t)ConstraintsSoFar[N].MatchingInput !=
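Review bot: Both added asserts (here after `scInfo.MatchingInput = ConstraintsSoFar.size();` and in the next hunk after `ConstraintsSoFar[N].MatchingInput = ...`) run only after the size_t value has been narrowed, and they are compiled out of builds without assertions, so they document the invariant but do not enforce it. The surrounding code visibly rejects bad constraint strings with `return true;`, so a range check before the assignment would reject an oversized operand list in every build, e.g. `if (ConstraintsSoFar.size() > (size_t)std::numeric_limits<int>::max()) return true;`. If the asserts stay, give them a message and conventional spacing: `assert(scInfo.MatchingInput >= 0 && "matching input index out of range");`. The enclosing function starts and ends outside both hunks.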
@@ -170,6 +171,7 @@
           return true;
         // Note that operand #n has a matching input.
         ConstraintsSoFar[N].MatchingInput = ConstraintsSoFar.size();
+        assert(ConstraintsSoFar[N].MatchingInput>=0);
         }
     } else if (*I == '|') {
       multipleAlternativeIndex++;
Index: include/llvm/IR/InlineAsm.h
===================================================================
--- include/llvm/IR/InlineAsm.h
+++ include/llvm/IR/InlineAsm.h
@@ -101,7 +101,7 @@
     /// input constraint is required to match it (e.g. "0").  The value is the
     /// constraint number that matches this one (for example, if this is
     /// constraint #0 and constraint #4 has the value "0", this will be 4).
-    signed char MatchingInput = -1;
+    int MatchingInput = -1;

     /// Code - The constraint code, either the register name (in braces) or the
     /// constraint letter/number.
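Review bot: The visible part of the doc comment above `int MatchingInput = -1;` does not say that -1 means "no matching input", nor that the field must be wide enough for any constraint index, which is the property this change restores. Add a line such as `/// -1 means no input is tied to this output; the type must hold any constraint index.` so the field is not narrowed again, and repeat it on the identical field in the hunk at line 128. The first lines of the comment and the enclosing struct definitions are outside the hunk, so this may already be partly covered there. Code that uses the value as an index should presumably check hasMatchingInput() first.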
@@ -128,7 +128,7 @@
     /// input constraint is required to match it (e.g. "0").  The value is the
     /// constraint number that matches this one (for example, if this is
     /// constraint #0 and constraint #4 has the value "0", this will be 4).
-    signed char MatchingInput = -1;
+    int MatchingInput = -1;

     /// hasMatchingInput - Return true if this is an output constraint that has
     /// a matching input constraint.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D39125.119658.patch
Type: text/x-patch
Size: 3729 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20171020/741f496b/attachment.bin>

